(57) Abstract:

PROBLEM TO BE SOLVED: To provide a means by which a maintenance engineer who maintains computers from a remote location can confirm, for each computer, the services available at the time of maintenance, and to enable a network access control device to permit or refuse the passage of communication data according to the operation mode of each of a plurality of computers.

SOLUTION: The network access control device is installed at the access point between a computer that can be maintained from a remote location and an external network. The network access control device is provided with operation modes corresponding to the access control rules of the computer. When there are a plurality of computers, each of them is provided with its own operation mode.



CLAIMS 



[Claim(s)] 

[Claim 1] A network access control apparatus which performs communication control between computers connected to a network, comprising:

an access control rule management unit which associates an access control rule, which controls the data communicated between the connected networks, with a mode expressing the operation plan applied to a managed computer, and manages the association;

a connection management unit which manages connections by applying the access control rule corresponding to the mode applied to this computer; and

a data communication unit which transfers communication data between two or more networks only when a connection is permitted.

[Claim 2] The network access control apparatus of claim 1, wherein the connection management unit, after cancelling the collectively applied access control rule, selects, out of two or more access control rules prepared beforehand, the access control rule corresponding to the specified mode, and validates it collectively.

[Claim 3] The network access control apparatus of claim 2, wherein the connection management unit continues an already established connection even if it is a candidate for cancellation when the collectively applied access control rule is changed.

[Claim 4] A network access control method which controls data communication between computers connected to a network, wherein a mode expressing an operation plan is associated with an access control rule which specifies the conditions of data communication and is applied to a managed computer; received data is checked against the access control rule corresponding to this mode; whether passage is permitted is judged; and the data is sent out.

[Claim 5] A network access control method which controls data communication between computers connected to a network, wherein, based on a mode conversion table which associates a mode expressing an operation plan with an access control rule that controls the data transmitted between the connected networks and is applied to a managed computer, and a computer conversion table which associates a managed computer with this mode, whether passage of received data is permitted is judged, and this data is sent out or discarded.

[Claim 6] A network access control system which controls data communication between computers connected to a network, wherein a mode expressing an operation plan is associated with an access control rule which serves as the standard for judging data communication and is applied to a managed computer, and the system controls communication by checking data received from an external computer against the access control rule corresponding to this mode, judging whether passage is permitted, and sending the data out to the managed computer.

[Claim 7] The network access control system of claim 6, which associates two or more managed computers with their respective modes and controls data communication based on this association.

[Claim 8] A remote maintenance service provision method performed by remote control via a network access control apparatus which controls data communication between computers connected to a network, wherein a service beneficiary, in accordance with a mode expressing an operation plan set in the network access control apparatus, maintains or manages a computer using the services that can communicate in this mode.

[Claim 9] A remote maintenance service provision method performed by remote control via a network access control apparatus which controls data communication between computers connected to a network, wherein a service beneficiary, in accordance with the modes expressing the operation plans set for the computers in the network access control apparatus, maintains or manages two or more computers using the services that can communicate in these modes.

[Claim 10] A remote maintenance service provision method performed by remote control via a network access control apparatus which controls data communication between computers connected to a network, wherein the mode or the operation plan is displayed on the screen of the service provider's computer, and a computer is maintained or managed according to the mode expressing the operation plan set for the computer in the network access control apparatus.

[Claim 11] The remote maintenance service provision method of claim 10, wherein the service content is displayed on a maintenance service screen.

[Claim 12] The remote maintenance service provision method of claim 10, wherein the computer being maintained or managed is displayed on a maintenance service screen.

[Claim 13] The remote maintenance service provision method of any one of claims 8 to 12, wherein the mode includes at least one of an initial mode, an online mode, a maintenance mode, a test mode and a monitor run mode.

[Claim 14] The remote maintenance service provision method of any one of claims 8 to 13, wherein a maintenance service fee is charged according to the mode applied to a computer.

[Claim 15] The remote maintenance service provision method of any one of claims 8 to 13, characterized in that, when a maintenance service fee is charged according to the mode applied to a computer, the fee is charged for every computer.

[Claim 16] A remote maintenance service method between computers which communicate via a network access control apparatus, wherein, even if a service beneficiary changes an access control rule during communication, the communication is continued and the service is provided from the establishment of a connection between the computers until the communication is completed.

[Claim 17] A contents distribution service method for a contents distribution service between computers which communicate via a network access control apparatus, wherein a validity period is set for the distribution service and the service is provided during that period, and communication established during this period is continued even after the validity period has expired.



DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to a network access control apparatus and method, a system, and a remote maintenance service method.

[0002] 

[Description of the Prior Art] This kind of access control technology has conventionally been realized as products called routers and firewalls. A rule for performing access control is set beforehand, and the conventional technology permits or refuses the passage of communication data according to that rule. The method in which the rule specifies permission or refusal of communication data based on the network address of the destination computer is widely known.

[0003] As technology for maintaining a computer from a remote location, the computer itself is provided with a maintenance mode as an operation mode: the computer judges for itself that it is in maintenance mode, receives the communication data permitted in maintenance mode, and refuses the communication data not permitted in maintenance mode, thereby protecting itself from receiving erroneous data. This access control technology is widely known.

[0004] As a conventional network access control apparatus, a packet-filtering device is widely known that examines the destination or source of every packet, the unit of data communicated between computers, and forwards it based on rules given beforehand. Also widely known is a communication proxy device that is specialized to the communicating application program, establishes rules on communication conditions according to the data's communication procedure or the kind of data communicated, and forwards data based on those rules.

[0005] As a device which dynamically changes the rules that specify whether forwarding is permitted, JP,11-167538,A describes applying each rule one by one.
[0006] 

[Problem(s) to be Solved by the Invention] However, if the maintenance mode for applying a rule is set in each computer, setup is complicated, and for a computer which cannot be set to maintenance mode, the rule must be set in a firewall. In access control rule management, it is a technical problem to group two or more rules into one access control rule so that the purpose of the access control rule currently applied to the network access control apparatus can be identified.

[0007] When rules are set for access control to two or more computers, it is hard to keep track of which computers have which operation plan and security policy. Therefore, it is a technical problem for a network access control apparatus to permit or refuse the passage of communication data to two or more computers according to the operation mode of each computer.

[0008] When maintaining a computer from a remote location, it is a technical problem to provide a means by which the customer engineer can check, for every computer, the services the customer engineer can use at the time of a maintenance service.
[0009] 

[Means for Solving the Problem] In order to solve the problems described above, a network access control apparatus is placed at the connection point between a computer that can be maintained from a remote location and an external network, and the network access control apparatus is provided with operation modes corresponding to the access control rules of this computer. When the installation consists of two or more computers, an operation mode is provided for each computer.

[0010] The services which can be used via the network access control apparatus at the time of a maintenance service are displayed for each computer, derived from the operation mode and the access control rules held by the network access control apparatus.
[0011]

[Embodiment of the Invention] As Example 1 of this invention, drawing 1 shows an example in which the operation mode of a computer is input and access control is performed according to this mode. There are a computer (301) connected to the 1st network (201) and a computer (302) connected to the 2nd network (202), and the network access control apparatus (101) connects the 1st network (201) and the 2nd network (202). The network access control apparatus (101) consists of an access control processing part (102), an access control rule (103), and an operation mode input processing part (104). The access control processing part (102) receives data from the computer connected to the 2nd network (501), checks it against the access control rule (105) (106), judges whether this data should be permitted to pass, and, when permitting passage, transmits the data to the computer (301) connected to the 1st network (502). The network access control apparatus (101) has an operation mode input processing part (104) for inputting the operation mode of a computer, and the operation mode of the computer (301) connected to the 1st network is input from this computer (401). The access control rule is switched according to the input operation mode (105). By this method, the network access control apparatus can permit or refuse the passage of communication data according to the operation mode of the computer (301) connected to the 1st network. For example, while the computer (301) is in online mode, the network access control apparatus can discard communication data intended for testing, which is not processed in online mode.
[0012] The access control rule (103) of drawing 1, and the access control processing part (102) before and after a rule change, are realized with the composition shown in drawing 2. In the network access control apparatus (101), the access control processing part (102-1) comprises a data communication part (102-2) and a connection management part (102-3). The data communication part (102-2) relays bidirectional communication between the connection (404), which the computer (302) connected to the 2nd network (202) established with the network access control apparatus (101) in order to transmit data to the computer (301) connected to the 1st network (201), and the connection (403) established with the computer (301), so that data received by the network access control apparatus (101) is also relayed back to the computer (302). The connection management part (102-3) controls the establishment of connections based on the access control rule (103-4), in which the conditions for permitting establishment of a connection are specified.
[0013] The access control rule (103) shown in drawing 1 is realized by the access control rule management part (103-1) of drawing 2. The access control rule management part (103-1) holds two or more access control rules (103-3), each with an identifier (103-2).

[0014] The operation of the embodiment shown in drawing 2 is explained. First, the access control rules (103-3) are prepared beforehand. An access control rule describes the IP address and port number of the computer that transmits data, the IP address and port number at which the network access control apparatus (101) carrying this invention accepts the connection, and the IP address and port number of the destination computer to which the received data is transmitted. These descriptions explicitly permit the establishment of a connection; a connection request whose IP address or port number does not match any description is implicitly refused. An identifier (103-2) is given to each access control rule.

[0015] The description format of the access control rule (103) in drawing 1 is shown in drawing 3. An access control rule comprises the identifier (111), which indicates the classification of the rule, the IP address (112) and port number (113) of the computer permitted to establish a connection, the IP address (114) and port number (115) at which the network access control apparatus receives the connection, and the IP address (116) and port number (117) of the destination computer to which data received at the IP address (114) and port number (115) is transmitted.

[0016] In drawing 2, one or more access control rules (103-3) are created according to the state of the computer (301) or the computer (302), and given an identifier (103-2). For example, if the operation mode of the computer (301) is online, an access control rule permitting a connection only from the computer (302) that is to communicate with it is created, and given the identifier "online mode". If the operation mode of the computer (301) is maintenance, an access control rule permitting a connection from the computer (302) only to specific ports of the computer (301) is created, and given the identifier "maintenance mode". If the operation mode of the computer (301) is test mode, an access control rule permitting the communication required for testing is created, and given the identifier "test mode".

[0017] On the instruction of a system administrator or of another program, for example the access control rule change instruction (105) in drawing 1, the access control rule management part (103-1) presents to the connection management part (102-3) the specific access control rule (103-4) which has the specified identifier, out of the access control rules currently held.

[0018] The connection management part (102-3) invalidates all the contents of the access control rule applied until then, and then validates the access control rule (103-4) to be applied next. Here, a connection that was already established when the previous access control rule became invalid is continued unless either the computer (301) or the computer (302) explicitly closes it.
[0019] When a connection request arrives from the computer (302) at the network access control apparatus (101), the connection management part (102-3) acquires the IP address and port number of the computer (302) included in the request, and searches the currently effective access control rule (103-4) for a description whose IP address (112) and port number (113) of drawing 3 match them. If no matching description exists, the connection request is refused. When a matching description exists, the connection management part (102-3) establishes a connection to the IP address (116) and port number (117) of the destination computer shown in the matching description. Thereafter the data communication part (102-2) relays the data received over the connection (403) and the connection (404) thus established until either the computer (301) or the computer (302) of drawing 2 explicitly closes the connection.

[0020] On the instruction of a system administrator or of another program, the access control rule management part (103-1) presents the identifier of the access control rule (103-4) which the connection management part has applied.
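The following is an added example, not code from the patent, that models the mechanism of [0014] to [0020] end to end: rules in the field layout of drawing 3, a mode conversion table grouping rules by identifier (claim 5, drawing 13), a computer conversion table mapping each managed computer to its mode (drawing 14), the lookup of [0019] on a connection request, and the rule of [0018] that established connections survive a mode change. All addresses, ports and the three rule sets are constructed for the example; treating a rule as belonging to the computer it delivers to, and `None` as a wildcard source port, are assumptions of this example.

```python
# Added example (not from the patent): a mode-driven connection controller modelling
# the rule format of drawing 3, the mode conversion table (rules grouped by mode
# identifier, claim 5 / drawing 13) and the computer conversion table (managed
# computer -> mode, drawing 14). Addresses, ports and mode names are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessControlRule:
    """One description in the format of drawing 3."""
    identifier: str            # (111) mode identifier the rule belongs to
    src_ip: str                # (112) computer permitted to open the connection
    src_port: Optional[int]    # (113); None is an assumed wildcard ("any source port")
    listen_ip: str             # (114) address on which the apparatus accepts the connection
    listen_port: int           # (115)
    dst_ip: str                # (116) managed computer the data is relayed to
    dst_port: int              # (117)


# Constructed rule sets. 10.1.0.1 is the apparatus, 10.1.0.10 and 10.1.0.11 the managed
# computers on the 1st network, 10.2.0.5 the maintenance computer on the 2nd network.
SAMPLE_RULES = [
    AccessControlRule("online mode", "10.2.0.5", None, "10.1.0.1", 5001, "10.1.0.10", 5001),
    AccessControlRule("maintenance mode", "10.2.0.5", None, "10.1.0.1", 5001, "10.1.0.10", 5001),
    AccessControlRule("maintenance mode", "10.2.0.5", None, "10.1.0.1", 22, "10.1.0.10", 22),
    AccessControlRule("test mode", "10.2.0.5", None, "10.1.0.1", 6000, "10.1.0.11", 6000),
]


class NetworkAccessController:
    """Connection management part (102-3) plus rule management part (103-1)."""

    def __init__(self, rules):
        self.mode_table = {}                      # identifier -> [rules]
        for rule in rules:
            self.mode_table.setdefault(rule.identifier, []).append(rule)
        self.computer_mode = {}                   # managed computer ip -> identifier
        self.connections = []                     # established (src_ip, src_port, dst_ip, dst_port)

    def set_mode(self, computer_ip, identifier):
        """Operation mode input (401): swaps the rule set for one computer.
        Established connections are deliberately left alone ([0018], claim 3)."""
        if identifier not in self.mode_table:
            raise ValueError(f"no access control rule prepared for {identifier!r}")
        self.computer_mode[computer_ip] = identifier

    def active_rules(self):
        """Rules currently effective: for each managed computer, the rules of its mode
        whose destination is that computer (assumption: a rule belongs to the computer
        it delivers to, so two computers in different modes do not share rules)."""
        active = []
        for computer_ip, identifier in self.computer_mode.items():
            active.extend(r for r in self.mode_table[identifier] if r.dst_ip == computer_ip)
        return active

    def request_connection(self, src_ip, src_port, listen_ip, listen_port):
        """[0019]: look up a matching description; return (dst_ip, dst_port) on
        permission, or None for the implicit refusal of [0014]."""
        for rule in self.active_rules():
            if (rule.src_ip == src_ip and rule.src_port in (None, src_port)
                    and rule.listen_ip == listen_ip and rule.listen_port == listen_port):
                conn = (src_ip, src_port, rule.dst_ip, rule.dst_port)
                self.connections.append(conn)
                return rule.dst_ip, rule.dst_port
        return None

    def close_connection(self, conn):
        """Either end closing the connection is the only thing that removes it."""
        self.connections.remove(conn)


def demo():
    ctrl = NetworkAccessController(SAMPLE_RULES)
    ctrl.set_mode("10.1.0.10", "online mode")
    monitor = ctrl.request_connection("10.2.0.5", 40001, "10.1.0.1", 5001)     # permitted
    shell_online = ctrl.request_connection("10.2.0.5", 40002, "10.1.0.1", 22)  # refused in online mode
    ctrl.set_mode("10.1.0.10", "maintenance mode")
    shell = ctrl.request_connection("10.2.0.5", 40003, "10.1.0.1", 22)         # now permitted
    ctrl.set_mode("10.1.0.10", "online mode")  # back to online: both connections survive
    return monitor, shell_online, shell, len(ctrl.connections)


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from `demo()` is the second half: switching the computer back to online mode does not tear down the maintenance shell that was opened while maintenance mode was active, exactly as [0018] and claim 3 specify. Whether that is desirable is an operational decision; if it is not, the controller needs an explicit close step on mode change.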
[0021] In some data communication systems, data communication is not carried out on a single port number but, as in FTP, on arbitrary port numbers negotiated in the middle of the communication. The operation in that case is shown in drawing 4. When the computer (301) and the computer (302) communicate, the computer (302) establishes a connection to a specific port number of the network access control apparatus (100) (210-2). The network access control apparatus (100) establishes a connection with the computer (301) according to an access control rule (210-1). The computer (301) then notifies the network access control apparatus (100) of the arbitrary port number it can currently use (211-1). The network access control apparatus (100), in the same way as the computer (301), notifies the computer (302) of an arbitrary port number that it has itself made usable (211-2). By permitting connection requests to the currently usable arbitrary port it chose itself, the network access control apparatus (100) allows the connection to be established continuously even when the computer (302) requests the connection on a port number different from the previous one.
[0022] As Example 2 of this invention, drawing 5 shows an example in which maintenance mode is applied as the operation mode of a computer. Computer 1 (301-1), computer 2 (301-2) and computer 3 (301-3) are connected to the 1st network (201), and each computer has its own operation mode. The operation mode of computer 1 (301-1) is maintenance mode, and it inputs the information on this operation mode into the operation mode input processing part (104) of the network access control apparatus (101) (401-1). The operation mode of computer 3 (301-3) is online mode, and it inputs the information on this operation mode into the operation mode input processing part (104) of the network access control apparatus (101) (401-2). When the computer (302) connected to the 2nd network communicates with computer 1 connected to the 1st network, the network access control apparatus (101) judges according to the access control rule (103) whether the data is permitted to a computer in maintenance mode, and only if it is permitted is the data communicated to computer 1 (502). Similarly, for data communication to computer 3, it judges whether the data is permitted to a computer in online mode, and only the permitted data is communicated to computer 3.

[0023] As Example 3 of this invention, an implementation of the network access control apparatus is shown in drawings 6 and 7. The network access control apparatus (101) consists of an access control processing part (102), an access control rule (103), and an operation mode input processing part (104). The access control processing part consists of a program (102-4) which performs access control. The access control program (102-4) receives data from the outside (501), reads the data describing the access control rule (106), checks the communication data against this rule, relays the data if it is permitted (502), and discards the data if it is not permitted. The operation mode input processing part (104) consists of an operation mode input program (104-1), which waits for operation mode input (401) from a computer and can accept an operation mode at any time. When an operation mode is input from a certain computer, the access control rule is changed to the access control rule reflecting the information on this operation mode (105). Drawing 7 is an example of the data format (401-3) sent from a computer to the operation mode input processing part in order to input the operation mode. It consists of the network address (401-4) of the sending computer, the network address (401-5) of the network access control apparatus, and the operation mode information (401-6) of the sending computer. The computer is identified by the network address (401-4) of the sending computer, and the operation mode is specified by the operation mode information (401-6) of the sending computer. Examples of operation modes are online mode, maintenance mode, test mode, and so on.
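The following is an added example, not code from the patent, of the operation mode input program (104-1) receiving messages in the three-field layout of drawing 7. The patent specifies only the three fields, so the text encoding `src=<ip>;dst=<ip>;mode=<name>`, the sample traffic and the mode names are constructed here. The example also adds one check the patent does not describe: the sender address claimed in field (401-4) is compared with the address the packet actually came from, because a mode message that is accepted on its claimed address alone lets any host that can reach the apparatus switch another computer into maintenance mode and thereby open its maintenance ports.

```python
# Added example (not from the patent): parsing and checking the operation mode
# notification of drawing 7. The wire format "src=<ip>;dst=<ip>;mode=<name>" and the
# sample messages are constructed; the patent specifies only the three fields.
import ipaddress

KNOWN_MODES = {"initial", "online", "maintenance", "test", "monitor run"}   # [0034]


class ModeMessageError(ValueError):
    """Raised for a notification the apparatus must not act on."""


def parse_mode_message(payload, actual_src, apparatus_addr):
    """Return (computer_ip, mode) for a valid notification.

    actual_src is the source address of the packet that carried the payload.
    Checking it against the claimed (401-4) address is an added check, not in the
    patent: without it any host that can reach the apparatus could switch another
    computer into maintenance mode.
    """
    fields = {}
    for token in payload.strip().split(";"):
        key, sep, value = token.partition("=")
        if not sep:
            raise ModeMessageError(f"malformed field {token!r}")
        fields[key.strip()] = value.strip()
    missing = {"src", "dst", "mode"} - fields.keys()
    if missing:
        raise ModeMessageError(f"missing field(s) {sorted(missing)}")
    src = str(ipaddress.ip_address(fields["src"]))   # (401-4); ValueError on garbage
    dst = str(ipaddress.ip_address(fields["dst"]))   # (401-5)
    if dst != apparatus_addr:
        raise ModeMessageError(f"addressed to {dst}, not to this apparatus")
    if src != actual_src:
        raise ModeMessageError(f"claimed sender {src} differs from packet source {actual_src}")
    mode = fields["mode"].lower()                    # (401-6)
    if mode not in KNOWN_MODES:
        raise ModeMessageError(f"unknown mode {mode!r}")
    return src, mode


def apply_mode_messages(messages, apparatus_addr):
    """Operation mode input program (104-1): fold (packet_src, payload) pairs into the
    computer -> mode table; returns the table and the rejected messages."""
    table, rejected = {}, []
    for actual_src, payload in messages:
        try:
            computer_ip, mode = parse_mode_message(payload, actual_src, apparatus_addr)
        except ValueError as exc:           # ModeMessageError is a ValueError too
            rejected.append((actual_src, str(exc)))
            continue
        table[computer_ip] = mode
    return table, rejected


# Constructed traffic: two genuine notifications, one spoofed (claims to be 10.1.0.10
# but arrives from 10.1.0.12), one with a bogus mode, one addressed elsewhere.
SAMPLE_MESSAGES = [
    ("10.1.0.10", "src=10.1.0.10;dst=10.1.0.1;mode=maintenance"),
    ("10.1.0.11", "src=10.1.0.11;dst=10.1.0.1;mode=online"),
    ("10.1.0.12", "src=10.1.0.10;dst=10.1.0.1;mode=test"),
    ("10.1.0.11", "src=10.1.0.11;dst=10.1.0.1;mode=root"),
    ("10.1.0.11", "src=10.1.0.11;dst=10.1.0.9;mode=online"),
]

if __name__ == "__main__":
    print(apply_mode_messages(SAMPLE_MESSAGES, "10.1.0.1"))
```

The source address comparison only defends against off-link spoofing; on the 1st network itself an address can still be forged, which is why [0030] notes that encryption technology may have to be combined with the mode handling. A signed or authenticated notification would be the next step beyond this example.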
[0024] As Example 4 of this invention, drawing 8 shows the access control system in the case where a computer performs remote maintenance. The network access control apparatus (101) inputs the operation mode (401) from the computer (301) connected to the 1st network (201), and changes the access control rule (103) according to this operation mode. The computer (302) connected to the 2nd network (202) obtains the operation mode (401) and the access control rule (103) from the network access control apparatus (101) (402). The computer (302) searches the access control rules (103) for the rules whose sending computer IP address (112) of drawing 3 matches the IP address of the computer (302). From these search results, the destination computer IP address (116) and port number (117) of drawing 3 are extracted, and a service list (511) is created. In other words, the extracted information shows, for the computer (301) and another computer (303) that can communicate, which services a customer engineer can use for maintenance via the network access control apparatus (101). The customer engineer views the availability of services on the maintenance screen (512) displayed based on the service list. The composition and operation of the maintenance screen (512) are explained in drawing 9. The maintenance screen (512) consists of an operation mode indicator (521), a computer indicator (522), and a service indicator (523). The operation mode obtained from the network access control apparatus (101) of drawing 8 is displayed on the operation mode indicator (521). The IP addresses obtained from the service list (511) of drawing 8 are displayed on the computer indicator (522); when the service list (511) contains two or more computers, two or more IP addresses are displayed. The customer engineer selects a single IP address on the computer indicator (522). The port numbers obtained from the service list (511) of drawing 8 for the selected IP address are displayed on the service indicator (523); when the service list (511) contains two or more port numbers for the IP address the customer engineer chose, two or more port numbers are displayed.
[0025] In Example 4 of this invention, a computer name defined beforehand in association with the IP address may be displayed on the computer list display part (522) in addition to the IP address. A service name associated beforehand with the port number may be displayed on the service indicator (523) in addition to the port number. The computer (302) may hold the access control rule (103) beforehand, obtain only the operation mode from the network access control apparatus (101) (402), and create the service list (511) itself. Alternatively, after the IP address of the computer (302) has been input to the network access control apparatus, the network access control apparatus can create the service list (511) and transmit it to the computer (302), which then displays the maintenance screen (512).
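The following is an added example, not code from the patent, of the service list derivation of [0024] and the screen composition of drawing 9 together with the optional name lookups of [0025]. The rules are given in the field layout of drawing 3; the addresses, ports, computer names and service names are constructed. The fourth sample rule belongs to a different maintenance workstation and is there to show that the filter on the sending address (112) keeps it out of this engineer's list.

```python
# Added example (not from the patent): deriving the service list (511) and the
# maintenance screen (512) of drawings 8 and 9 on the maintenance computer (302).
# Rules use the field names of drawing 3; addresses, ports and names are constructed.

# Rules the maintenance computer obtained from the apparatus (402) while the
# managed computers are in maintenance mode. 10.2.0.5 is this maintenance computer;
# 10.2.0.6 is another engineer's workstation, whose rules must not appear in our list.
SAMPLE_RULES = [
    {"id": "maintenance mode", "src_ip": "10.2.0.5", "listen_ip": "10.1.0.1", "listen_port": 22,
     "dst_ip": "10.1.0.10", "dst_port": 22},
    {"id": "maintenance mode", "src_ip": "10.2.0.5", "listen_ip": "10.1.0.1", "listen_port": 5001,
     "dst_ip": "10.1.0.10", "dst_port": 5001},
    {"id": "maintenance mode", "src_ip": "10.2.0.5", "listen_ip": "10.1.0.1", "listen_port": 8080,
     "dst_ip": "10.1.0.12", "dst_port": 80},
    {"id": "maintenance mode", "src_ip": "10.2.0.6", "listen_ip": "10.1.0.1", "listen_port": 23,
     "dst_ip": "10.1.0.10", "dst_port": 23},
]

COMPUTER_NAMES = {"10.1.0.10": "plant-ctl-1", "10.1.0.12": "historian"}   # [0025], optional
SERVICE_NAMES = {22: "ssh", 80: "http", 5001: "monitor"}                    # [0025], optional


def build_service_list(rules, my_ip):
    """[0024]: keep the rules whose sending address (112) is this computer and collect
    the destination address (116) and port (117). Returns {dst_ip: sorted ports}."""
    services = {}
    for rule in rules:
        if rule["src_ip"] != my_ip:
            continue
        services.setdefault(rule["dst_ip"], set()).add(rule["dst_port"])
    return {ip: sorted(ports) for ip, ports in services.items()}


def maintenance_screen(mode, service_list, selected_ip, computer_names=None, service_names=None):
    """Drawing 9: operation mode indicator (521), computer indicator (522) and, for the
    selected computer, the service indicator (523). Names are appended when known."""
    computer_names = computer_names or {}
    service_names = service_names or {}
    computers = [f"{ip} ({computer_names[ip]})" if ip in computer_names else ip
                 for ip in sorted(service_list)]
    services = [f"{port} ({service_names[port]})" if port in service_names else str(port)
                for port in service_list.get(selected_ip, [])]
    return {"mode": mode, "computers": computers, "services": services}


if __name__ == "__main__":
    listing = build_service_list(SAMPLE_RULES, "10.2.0.5")
    print(maintenance_screen("maintenance mode", listing, "10.1.0.10", COMPUTER_NAMES, SERVICE_NAMES))
```

Note that the list is computed from the rules the apparatus handed out, so it can only be as trustworthy as that download: the apparatus remains the enforcement point, and the screen is a view of what it will permit, not a second control.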

[0026] Drawing 10 is an example of the whole system on the service provision side and the service receiving side of a remote maintenance service. There is certain equipment and a computer that controls it, connected to the outside through a communication line via the network access control apparatus. The computer on the maintenance service side can then communicate with the computer or the equipment via a maintenance service server or the network access control apparatus. Remote maintenance services are the maintenance control work, repair and provision of information for the equipment, provided by the protocol corresponding to a port and the application of that protocol. When equipment of company A and company B is managed by outsourcing, setup and operation can be performed simply by setting, in each company, the mode corresponding to the management of that company. Industrial plants such as power generation equipment and factory production lines are examples of such equipment.

[0027] Drawing 11 is an example of the flow when providing the service. Online mode is set in the computer on the service receiving side, process control is performed by this computer, and the equipment starts operation. The mode set in the computer is registered in the network access control apparatus; this registration is transmitted from the computer to the network access control apparatus when the mode is set in the computer (601). The network access control apparatus then notifies the maintenance service server that the registered contents have changed, and registers them there (602). Since plant control is performed in the normal operational state in online mode, the communication control rule is set so as not to change the state of the computer currently performing control and not to risk a fatal error. A customer engineer performs the maintenance that is possible in the registered online mode; here it is a supervisory service, monitoring whether operation is normal (604). When the equipment breaks down, the computer detects the failure and changes from online mode to maintenance mode. The control rule is set so that, in maintenance mode, work that changes the operation of the computer, such as replacing a program or changing data, can be performed. The computer registers the mode change in the network access control apparatus (605), and the network access control apparatus registers the mode change of the computer in the maintenance service server (606). The customer engineer who had been monitoring in online mode checks that the registration has been changed to maintenance mode (607), learns that an abnormality has occurred, conducts the maintenance inspection that is possible in maintenance mode, and reports the result (608).

[0028] Although here every mode change is registered with the maintenance service server, the mode information may instead be communicated at the time of communication, without registering it.

[0029] By keeping maintenance mode data from reaching computers that are not in maintenance mode, it is possible to protect, from a remote location, against a person who is permitted to operate accidentally transmitting communication data to computers that are not in maintenance mode.

[0030] Although it was described above that the computer detects the failure of the equipment, in the monitoring of the maintenance service abnormalities other than those input by authorized personnel may also be checked, and the maintenance computer on the maintenance service side may be enabled to change the mode of a computer. In this case the mode is handled inside the network access control apparatus, which is a firewall, so it is considered that other encryption technology may need to be used together with it from a security viewpoint. Thereby, in the network access control apparatus, an access control rule can be changed without operation by the administrator of this device.
[0031] Drawing 12 shows an example of the method of charging the fee for the maintenance service. When a mode is set and maintenance service is requested, the maintenance service provider performs maintenance control using the services that are possible in that mode. A fee per unit of time is decided for every service, and the fee is determined and charged from the time spent on the service. Since the service content changes when the mode is changed, a fee corresponding to the service actually received can be charged. The fee may be varied for every computer by setting the mode for every computer. As another charging method, a fixed fee for a fixed period, such as a monthly contract, may be used.

[0032] Drawing 13 is an example in which rules and modes are associated and managed in the network access control apparatus. By associating rules with modes and managing them in the network access control apparatus, it becomes unnecessary to set the mode in each computer, and only the information required by each computer is passed, because the rule is applied in the network access control apparatus. Therefore, since each computer no longer needs to judge whether information is required, the load on each computer decreases. By providing two or more modes expressing operation plans, the rule to apply can be replaced all at once, without effort, by changing the operation plan.

[0033] Drawing 14 shows an example in which each computer and its mode are made to correspond and are managed in the network access control apparatus. By setting a mode for each computer, the operation plan of each computer is easy to grasp and the rules are easy to apply. It can also be checked whether the access control rules for each operational mode are appropriately defined, from a single computer up to two or more computers. By placing several computers that share an operation plan in the same computer group and making the group correspond to a mode, the operation plan can also be managed collectively for the system formed by that computer group.
[0034] The following are typical examples of modes.

(1) Initial mode: the state immediately after the computer is started, in which business applications (plant control programs etc.) are not running. From this state the computer changes to the other modes.

(2) Online mode: business applications are started and the computer performs plant control. This is the usual operational state.

(3) Maintenance mode: the state in which work that changes the operation of the computer, such as replacing a program or changing data, can be performed.

(4) Test mode: the state in which the computer does not issue final control instructions. Reception of data from control equipment and transmission of control instructions are simulated. It is used during operation tests.

(5) Monitor run mode: unlike test mode, the data received from control equipment is actual data received from the plant. It is used during operation tests.

[0035] Since the access control rules for a managed or maintained computer can be changed by switching among two or more modes, rules can be applied easily while keeping the operation plan of the system in view.

[0036] The maintenance service should create the required modes as appropriate and may carry out various services, regardless of the modes and service contents given above as examples.

[0037] Drawing 15 is an example showing the flow of rule package application. When the network access control apparatus changes from one mode to another, three new rules are applied. When a connection request arrives from outside, the three rules are applied one by one; the upper row shows the case where the rules are not applied as a package, and the lower row shows the case where they are. Suppose communication A and communication C are both needed for communication with the exterior. In state B of the upper row, communication A has established a connection and can communicate, but communication C has not yet established a connection. On the other hand, when the rules are applied as a package as in the lower row, communication starts only after the whole rule set for the mode has been applied, so communication A and communication C are consistent with each other. In other words, the access control rules applied to the managed computer are first cancelled collectively, and then the mode, which is an identifier showing the operation plan to apply, and the two or more access control rules corresponding to it are validated collectively. When an access control rule consists of two or more rules, this lets the rule set be changed dynamically without the transient state that arises when each rule is changed one by one.
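The correspondence tables of Drawings 13 and 14 and the transient state of Drawing 15 can be made concrete in a small model. The following is an added example, not code from the patent or from any product built on it: the rule fields, the mode names (online, maintenance), the host names (plc1, scada, maint-pc) and the port numbers are assumptions chosen for the illustration, and the three maintenance-mode rules play the roles of communications A, B and C. `set_mode_package` swaps the whole rule set with one reference assignment; `set_mode_one_by_one` exposes the intermediate rule sets that a concurrent connection request would be judged against.

```python
"""Mode-to-rule tables and package (atomic) rule application.

Added illustration, not the patent's code. Rule fields, mode names,
host names and ports are assumptions; the sample tables are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    src: str      # source host name, or "*" for any source (assumed field)
    dst: str      # destination (managed) computer
    port: int     # destination port
    action: str   # "permit" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return self.src in ("*", src) and self.dst == dst and self.port == port


# Drawing 13: operational mode -> access control rules (constructed sample).
# In maintenance mode the three rules are communications A, B and C of Drawing 15.
MODE_RULES: Dict[str, List[Rule]] = {
    "online": [Rule("scada", "plc1", 502, "permit")],
    "maintenance": [
        Rule("maint-pc", "plc1", 22, "permit"),    # communication A
        Rule("scada", "plc1", 502, "permit"),      # communication B
        Rule("maint-pc", "plc1", 8443, "permit"),  # communication C
    ],
}


class NetworkAccessControl:
    def __init__(self) -> None:
        self.computer_mode: Dict[str, str] = {}   # Drawing 14: computer -> mode
        self.active: Tuple[Rule, ...] = ()        # rule set currently validated

    def permitted(self, src: str, dst: str, port: int) -> bool:
        # First matching rule decides; anything unmatched is denied.
        for rule in self.active:
            if rule.matches(src, dst, port):
                return rule.action == "permit"
        return False

    def set_mode_package(self, computer: str, mode: str) -> None:
        """Lower row of Drawing 15: cancel the computer's old rules and
        validate the new mode's rules collectively, with a single reference
        swap, so no connection request is ever judged against a mixed set."""
        new_rules = tuple(r for r in self.active if r.dst != computer)
        new_rules += tuple(MODE_RULES[mode])
        self.computer_mode[computer] = mode
        self.active = new_rules

    def set_mode_one_by_one(self, computer: str, mode: str,
                            observe: Callable[[], None]) -> None:
        """Upper row of Drawing 15: rules are cancelled and added one at a
        time; `observe` is called after each step to expose the intermediate
        rule sets a concurrent connection request would see."""
        rules = [r for r in self.active if r.dst != computer]
        self.active = tuple(rules)
        observe()
        self.computer_mode[computer] = mode
        for rule in MODE_RULES[mode]:
            rules.append(rule)
            self.active = tuple(rules)
            observe()


def compare(initial: str = "online", target: str = "maintenance"):
    """Switch plc1 from `initial` to `target` both ways and record, after each
    step, whether communications A (port 22) and C (port 8443) are permitted."""
    results = {}
    for method in ("package", "one_by_one"):
        nac = NetworkAccessControl()
        nac.set_mode_package("plc1", initial)
        seen: List[Tuple[bool, bool]] = []

        def observe() -> None:
            seen.append((nac.permitted("maint-pc", "plc1", 22),
                         nac.permitted("maint-pc", "plc1", 8443)))

        if method == "package":
            nac.set_mode_package("plc1", target)
            observe()
        else:
            nac.set_mode_one_by_one("plc1", target, observe)
        results[method] = seen
    return results


def has_transient_state(states) -> bool:
    """True when some observed state permits A but not C: state B of the
    upper row of Drawing 15, where a maintenance session could start on A
    and then fail to open C."""
    return any(a and not c for a, c in states)


if __name__ == "__main__":
    for method, states in compare().items():
        print(method, states,
              "transient" if has_transient_state(states) else "consistent")
```

The one-by-one path records an intermediate state in which A is permitted and C is not; the package path records only the final state. The same property is what a practitioner should check when a real firewall is driven by a mode table: the rule set visible to the connection-admission path must change by one atomic replacement, never by a sequence of individual inserts and deletes.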
[0038] Drawing 16 is an example of rule application and connection continuation. When a connection request arrives from outside, a parent process judges whether the communication is permitted using the rule set of the mode applied to the destination computer, and if it is permitted, it hands the communication work to a child process. The child process establishes the connection for the request, carries out the communication, and closes the connection after the communication is completed. A child process may be created when work is received from the parent process, or child processes may exist from the start.

[0039] Because the parent process applies the rule set of the destination computer, the rule set has already been fully applied by the time a connection request is handled, so the rules can be applied as a package and the work handed to a child process. Once a child process has established a connection, it continues the communication until the connection is closed, and then returns to waiting for work from the parent process. Since a communication whose connection is already established is treated as ongoing communication, rule application is not carried out in the middle of it, so the connection is not closed by a rule change and the communication does not become impossible.

[0040] In a packet-filtering device using conventional technology, transmission of packets stops as soon as an access control rule that refuses the communication is applied, so the running application program may have to detect that transmission was interrupted and discard the whole series of processing done on the data up to that point, or that processing may have to be repeated. In contrast, for an already established connection, even if it is a candidate for cancellation when the applied access control rules are changed, the continuity of processing can be secured by continuing the connection. Thus, by changing access control rules collectively, communication can be continued and the service provided until the connection between the computers is closed after the communication is completed, even if the access control rules are changed during the communication.
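The difference between the parent/child arrangement of Drawing 16 and a conventional per-packet filter can be shown with a small simulation. This is an added example, not code from the patent: the parent process is modelled by `Gateway.request_connection`, which evaluates the rule set once at connection time, the child process by `Session`, which owns the established connection until it is closed, and the conventional device of paragraph [0040] by `PacketFilter`, which re-checks every packet. The mode names, host names, ports and the `terminate` method (an explicit operator cut-off, which the patent does not describe) are assumptions.

```python
"""Rule application at connection time versus per-packet filtering.

Added illustration, not the patent's code. Rule fields, mode names,
host names, ports and the explicit `terminate` operation are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str    # source host name
    dst: str    # destination (managed) computer
    port: int   # destination port


# Constructed mode -> rule table (Drawing 13), permit-only for brevity.
MODE_RULES: Dict[str, Tuple[Rule, ...]] = {
    "online": (Rule("scada", "plc1", 502),),
    "maintenance": (Rule("scada", "plc1", 502), Rule("maint-pc", "plc1", 22)),
}


def permitted(rules: Tuple[Rule, ...], src: str, dst: str, port: int) -> bool:
    return any(r.src == src and r.dst == dst and r.port == port for r in rules)


@dataclass
class Session:
    """Child process: owns one established connection until it is closed."""
    src: str
    dst: str
    port: int
    open: bool = True
    log: List[str] = field(default_factory=list)

    def send(self, data: str) -> bool:
        if not self.open:
            return False
        self.log.append(data)     # no rule check here: the connection continues
        return True

    def close(self) -> None:
        self.open = False


class Gateway:
    """Parent process: judges each connection request against the rule set
    of the mode currently applied to the destination computer."""

    def __init__(self) -> None:
        self.mode: Dict[str, str] = {}
        self.rules: Tuple[Rule, ...] = ()
        self.sessions: List[Session] = []

    def set_mode(self, computer: str, mode: str) -> None:
        self.mode[computer] = mode
        # Package application: the whole rule set is swapped at once.
        # Established sessions are deliberately left untouched.
        self.rules = tuple(r for r in self.rules if r.dst != computer) + MODE_RULES[mode]

    def request_connection(self, src: str, dst: str, port: int) -> Optional[Session]:
        if not permitted(self.rules, src, dst, port):
            return None
        session = Session(src, dst, port)
        self.sessions.append(session)
        return session

    def terminate(self, computer: str) -> int:
        """Assumed explicit hard cut-off; a rule change alone never does this."""
        victims = [s for s in self.sessions if s.dst == computer and s.open]
        for s in victims:
            s.close()
        return len(victims)


class PacketFilter:
    """Conventional stateless filter: every packet is re-checked, so a rule
    change cuts an ongoing communication in the middle."""

    def __init__(self) -> None:
        self.rules: Tuple[Rule, ...] = ()

    def set_mode(self, computer: str, mode: str) -> None:
        self.rules = tuple(r for r in self.rules if r.dst != computer) + MODE_RULES[mode]

    def forward(self, src: str, dst: str, port: int) -> bool:
        return permitted(self.rules, src, dst, port)


def scenario():
    """A maintenance session on plc1 runs while plc1 is switched back to
    online mode; the same traffic through the conventional filter is cut."""
    gw = Gateway()
    gw.set_mode("plc1", "maintenance")
    sess = gw.request_connection("maint-pc", "plc1", 22)
    first = sess.send("step 1")
    gw.set_mode("plc1", "online")        # rule change during communication
    second = sess.send("step 2")         # established connection continues
    retry = gw.request_connection("maint-pc", "plc1", 22)  # judged by new rules
    sess.close()

    pf = PacketFilter()
    pf.set_mode("plc1", "maintenance")
    pf_first = pf.forward("maint-pc", "plc1", 22)
    pf.set_mode("plc1", "online")
    pf_second = pf.forward("maint-pc", "plc1", 22)   # dropped mid-communication
    return {"gateway": (first, second, retry is None, list(sess.log)),
            "packet_filter": (pf_first, pf_second)}


if __name__ == "__main__":
    print(scenario())
```

The behaviour the patent wants is that a mode change refuses new connection requests while letting established sessions finish. The flip side, which an operator should keep in mind, is that revoking a permission by changing the mode does not by itself end a session that is already open; if a hard cut-off is required (for example, to evict a maintenance session immediately), it has to be an explicit action on the established sessions, modelled here by `terminate`.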

[0041] In remote maintenance service, in the case of a charging method that counts the service period as the time from establishment of the communication connection until it is closed, if the connection is cut in the middle of the maintenance work, the work done so far becomes useless and must be redone. The maintenance service provider then spends more effort on the work, and the service user pays higher fees because of the longer working hours. Similarly, in a service that distributes data from a content provider, such as music distribution, where a period during which the content is provided is set and charged for, the service provider can change the rule at the end of a client's service period; but if the client has established a connection just before the end of the distribution service period, the communication becomes useless if the connection is cut in the middle. By applying rules as a package and letting established connections continue, more reliable communication can be provided in maintenance service or distribution service, better service can be provided, and fees corresponding to the service actually received can be collected.
[0042]

[Effect of the Invention] According to this invention, when a computer is maintained from a remote place, the network access control apparatus judges whether the computer is in a state in which it can be maintained, that is, whether it is in maintenance mode, and this has the effect of preventing data for maintenance from being transmitted accidentally to computers that are not in maintenance mode.

[0043] Furthermore, since the access control rules currently applied can be interpreted semantically, it becomes easy for a system administrator to check the access control rules under application, and the services that can currently be used are shown to the customer engineer, which is effective in avoiding trial work to find out whether a service can be provided.



DESCRIPTION OF DRAWINGS 



[Brief Description of the Drawings]
[Drawing 1] System configuration diagram.

[Drawing 2] Composition of the access control processing part and the access control rule management department.

[Drawing 3] The data format of an access control rule.
[Drawing 4] The communication method which uses two or more ports.
[Drawing 5] Diagram of a system composed of computers.
[Drawing 6] Composition of a network access control apparatus.
[Drawing 7] Communication data format.


[Drawing 8] The access control system in remote maintenance work.

[Drawing 9] Composition of the maintenance screen.

[Drawing 10] General drawing of remote maintenance service.

[Drawing 11] The flow on the maintenance service side and the service enjoyment side.

[Drawing 12] The flow of fee collection for maintenance work charges.

[Drawing 13] The correspondence table of operational mode and access control rule.

[Drawing 14] The correspondence table of computer and operational mode.

[Drawing 15] The flow of rule package application.

[Drawing 16] The example of rule application and connection continuation.
[Description of Notations]

101 - Network access control apparatus, 102 - Access control processing part, 103 - Access control rule, 104 - Operational mode input processing part, 105 - Rule change, 106 - Data read, 201-202 - Network, 210 - Connection establishment, 211 - Port number transmission, 212 - Communication, 301-302 - Computer, 401-402 - Input of operational mode, 501-502 - Data communication, 511 - Service list, 512 - Maintenance screen, 601 - Mode setting, mode registration and operation system on the service enjoyment side, 602, 606 - Mode registration on the service provision side, 603, 607 - Registration confirmed, 604 - Supervisory service, 605 - Equipment failure, mode switching and mode registration on the service enjoyment side, 608 - Inspection and report service.



* NOTICES *

JPO and INPIT are not responsible for any damages caused by the use of this translation.

1. This document has been translated by computer. So the translation may not reflect the original precisely.

2. **** shows the word which can not be translated.
3. In the drawings, any words are not translated.